A Week in Security (Feb 28 – Mar 05)

Last week, we touched on Facebook video spam, a fake Google Docs phishing site, and a technical yet comprehensive (at least to those who know coding) tutorial on how to deobfuscate malicious VBScript files.

When the ransomware variant known as Locky began to make headlines, malware analyst Hasherezade dissected several samples and explained their behaviour: what changes they make to affected systems and how the target files are encrypted. She also detailed how this ransomware communicates with its command-and-control (CnC) server and concluded that, in spite of how solidly the code was written and how well-prepared the campaign may seem, Locky was no different from the average ransomware. You can read her full analysis in the piece entitled “Look Into Locky Ransomware”.

Senior security researcher Jérôme Segura pushed out a white paper for Operation Fingerprint, a research initiative made possible by the combined efforts of Malwarebytes and GeoEdge. The paper “provides a unique insight into malvertisers’ thought processes, showing how they remain one step ahead while the ad industry tries to avoid playing Whack-a-Mole.”

For our first PUP Friday post of March, we looked into Dotdo FastInternet, an adware PUP that is known to prevent users from accessing security-related domains.

Notable news stories and security-related happenings:

  • Snapchat Employee Data Leaks Out Following Phishing Attack. “Snapchat has had hacking problems in the past. The service leaked some 200,000 photos from users back in 2014 when unofficial third-party apps were compromised, but on this occasion the circumstances and outcome are different. For one thing, Snapchat said that no user data was affected, while the company is shouldering the blame for the issue.” (Source: TechCrunch)
  • Apple vs FBI Shines Spotlight on RSA Conference. “The World Economic Forum predicts that crimes in cyberspace will cost the global economy $445 billion this year. At the same time, the number of smartphone users worldwide is expected to cross 2.1 billion, making the Apple vs. the FBI battle around the issues of encryption and privacy relevant to almost a third of the global population.” (Source: CNBC)
  • Angler Exploit Kit Learns New Tricks, Finds Home On Popular Website. “Karl Sigler, a SpiderLabs researcher at Trustwave, told Threatpost his lab found the Angler Exploit Kit on a popular website for the second time in a week, exposing just under million visitors monthly to possible TeslaCrypt ransomware infections.” (Source: ThreatPost)
  • Card “Verification” Now Offered “As a Service” by Brazilian Cybercriminals. “What exactly is card verification? This checks if stolen/newly generated credit card numbers work by attempting to charge small amounts. An attacker would upload the credentials on CheckerCC and the service would automatically check which numbers work. Traditionally, crooks in the Brazilian underground would use a program on their computer to do this.” (Source: Trend Micro’s TrendLabs Intelligence Blog)
  • Study: Asia-Pacific’s “Cyber Five” Nations More Vulnerable to Cyberattack. “The ‘Cyber Five’ nations — South Korea, Australia, New Zealand, Japan, and Singapore — appear nine times more vulnerable to cyber attack than other Asian economies, according to the 2016 Asia-Pacific Defense Outlook released by Deloitte Touche Tohmatsu Limited (DTTL).” (Source: Enterprise Innovation)
  • The Rise of Polymorphic Malware. “The data collected by Webroot throughout 2015 shows that today’s threats are truly global and highly dynamic. Many attacks are staged, delivered, and terminated within a matter of hours, or even minutes, having harvested user credentials and other sensitive information. Countering these threats requires an innovative approach to attack detection that leverages advanced techniques and up-to-the-second threat intelligence.” (Source: Help Net Security)
  • The “HawkEye” Attack: How Cybercrooks Target Small Businesses for Big Money. “And, let’s face it, just opening a document isn’t supposed to be dangerous, so you can understand why people take the chance. The danger comes from missing patches that allow crooks to create cunningly-malformed files that crash your Word application and leave them in temporary programmatic control of your computer. The booby-trapped document then takes advantage of this temporary control to download and install an item of malware chosen by the crooks.” (Source: Sophos’s Naked Security Blog)
  • Children Given Key to the Internet First, House Keys Second. “22 percent of the 1000 British parents surveyed said they allow their children, aged under seven years, to surf the internet unsupervised, while the average age was 9.5. In comparison, the average age at which British parents give their children their own set of house keys is 10.8. These findings highlight that despite being protective of their children’s physical safety, parents are still not recognizing dangers of the internet.” (Source: IT Security Guru)
  • Beware Of Social Media and Cybersecurity. “Hollywood is responsible for the perception that hackers are overweight guys, sitting in a dark basement, hammering away at a computer. You hear tap, tap, tap. Suddenly there is an eureka moment. The hacker hammers the enter key, and says, ‘We’re in’. O’Neill is trying to dispel that myth.” (Source: Forbes)
  • HackingTeam Releases New Malware Targeting Mac. “For the past few weeks, security researchers from Palo Alto Networks, SentinelOne, and Synack have been analyzing a new malware sample targeting Mac OS X, which appears to be the work of the infamous HackingTeam.” (Source: Softpedia)
  • Our Personal Security is Our National Security. “Strong encryption is good for our personal security. There are very few people who would disagree with that statement. We want to protect our personal information from cyber criminals of all sorts. It’s why we demand secure channels of communication from our device manufacturers and software developers alike. But I’ll go even further and say that strong encryption is good for, and in fact vital to, our national security.” (Source: The Hill)
  • Krebs: Wendy’s Breach Losses May Exceed Those of Target, Home Depot Incidents. “The financial loss to credit unions affected by the Wendy’s data breach uncovered earlier this month appears to be on pace to surpass damages incurred from the high-profile Target and Home Depot breach incidents, according to a report from Krebs on Security.” (Source: SC Magazine)
  • ‘Accessibility Clickjacking’ Malware could Impact 500 Million Android Devices. “Researchers at threat defense company Skycure have uncovered an Android proof of concept malware that uses accessibility services to allow attackers to spy on and even control a device. It can monitor all of a victim’s activity and allow attackers to read, and possibly compose, corporate emails and documents via the victim’s device, as well as elevating their permissions to remotely encrypt or even wipe the device.” (Source: Beta News)
  • Facebook: A New Command and Control HQ for Mobile Malware. “Researchers have shown off a new way to evade the security mechanisms in Android and iOS – by using social networks as command and control servers. The team, from Israeli security firm Skycure, said Google and Apple have made great strides in keeping malware out of their official software stores by scanning submitted code for malware and bad practices.” (Source: The Register)
  • Dark Web Drugs, Data Dumps and Death: Which Countries Specialize in What Services? “Over the past few years, Trend Micro has conducted a number of research projects focusing on these areas and the underground economy at large. Within the latest research paper, Trend Micro focuses on comparisons between different countries, their users and their online activities.” (Source: ZDNet)
  • Researchers Discover Major Security Breach in 3D Printing Technology. “Researchers from the University of California, Irvine have discovered what may amount to a major security breach in the 3D printing process: the source code of any 3D printer can be easily recorded and reverse engineered, allowing hackers to reverse-engineer 3D-printed objects and potentially engage in corporate espionage.” (Source: Neowin)
  • Weak Default Credentials, Command Injection Bug Found in Building Operation Software. “A vulnerability in servers programmed with Schneider Electric’s StruxureWare Building Operation software can be exploited by a low-skilled, remote attacker to gain access to the servers and make changes that could affect a building’s security. What’s more, the software was also shipped with weak default user credentials that administrators weren’t required to change when setting up the system.” (Source: Help Net Security)
  • These Engineers are Developing Artificially Intelligent Hackers. “Could you invent an autonomous hacking system that could find and fix vulnerabilities in computer systems before criminals could exploit them, and without any human being involved? That’s the challenge faced by seven teams competing in Darpa’s Cyber Grand Challenge in August.” (Source: The Guardian)
  • IoT Security: Industry Finally Waking Up To The Dangers. “For the last several years, Internet of Things security has been one of the most hotly debated topics at Mobile World Congress. This year, however, IoT security took on a new sense of urgency as more devices are being connected and the technology turns mainstream.” (Source: Information Week)
  • Android Triada Trojan ‘As Complex As Any Windows Malware’. “The security firm added that the complexity of Triada’s functionality proves that professional cyber criminals with a deep understanding of the targeted mobile platform are behind the creation of this malware. Kaspersky warned that it is nigh on impossible to rid a device of the malware if it is infected.” (Source: V3)
  • Unmanaged Wearables Infiltrating the Enterprise, According to Centrify RSA Survey. “First and foremost, 69 percent of wearable device owners say they forego login credentials, such as PINs, passwords, fingerprint scanners and voice recognition, to access their devices. 56 percent of wearable owners use their devices to access business apps such as Box, Slack, Trello, Dropbox, Salesforce, Google Docs, Microsoft Office or a combination of those. Perhaps most alarming, despite the lack of login credentials and ready access to corporate data, 42 percent of wearable owners cite identity theft as their top security concern when it comes to their devices.” (Source: Business Wire)

Safe surfing, everyone!

The Malwarebytes Labs Team